{"id":242869,"date":"2026-07-13T16:41:00","date_gmt":"2026-07-13T20:41:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program\/"},"modified":"2026-07-13T16:50:12","modified_gmt":"2026-07-13T20:50:12","slug":"pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program\/","title":{"rendered":"Pentagon suspends CMMC phase two requirements, launches review of program"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program\/\">Pentagon suspends CMMC phase two requirements, launches review of program<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-13 16:41:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>                    DoD CIO Kirsten Davies is suspending plans to ramp up CMMC third-party assessments, as part of a review that casts doubt on the future of the current program.<\/p>\n<p>        Justin Doubleday@jdoubledayWFED<\/p>\n<p>                July 13, 2026 4:39 pm<br \/>\n            2 min read        <\/p>\n<p>                    The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.<br \/>\nIn a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.<br \/>\nDoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.<br \/>\nBut the Pentagon is now launching a 60-day, \u201ctop-to-bottom\u201d review of the certification program, according to a July 13 memo signed out by DoD Chief Information Officer Kirsten Davies.]]><\/p>\n<p>The memo suggests that the CMMC program, as currently planned, conflicts with Defense Secretary Pete Hegseth\u2019s Acquisition Transformation System initiative\u2019s focus on eliminating bureaucracy and enabling innovation.<br \/>\n\u201cThe current iteration of the Cybersecurity Maturity Model Certification (CMMC) program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation,\u201d Davies wrote. \u201cWhile cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.\u201d<br \/>\nDavies\u2019 memo points to \u201crecent data and feedback\u201d that suggest \u201cthe current CMMC program is structurally incompatible with our need to rapidly expand the DIB.\u201d The memo specifically references reports from the Small Business Administration, which has raised previously concerns about CMMC compliance costs.<br \/>\n\u201cThe combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [DoD] contracts and freezing critical suppliers out of the market,\u201d Davies wrote.<br \/>\nDavies has tasked the 60-day \u201cCMMC Reform Task Force\u201d with providing recommendations on a framework that \u201cprioritizes speed to capability, lowers barriers for small, medium, and non-traditional businesses, and replaces prohibitive, third-party compliance models with scalable, realistic security measures.\u201d<br \/>\nIn addition to the previous November deadline for third-party assessments to ramp up, the memo suspends all pending and future CMMC milestones \u201cuntil further notice.\u201d DoD programs can continue including CMMC self-assessment requirements in contracts.<br \/>\nIn advance of the November deadline, some DoD program offices had already begun requiring audits by CMMC third-party assessment organizations (C3PAOs).]]><\/p>\n<p>During the suspension, DoD will continue using the self-assessments and select government-led assessments. Davies wrote that DoD will focus on \u201ctangible cyber hygiene rather than third-party certifications and bureaucratic, high cost-imposing red tape.\u201d<br \/>\n                    Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pentagon suspends CMMC phase two requirements, launches review of program https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program\/ Publish Date: 2026-07-13 16:41:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242870,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/01\/GettyImages-1197780051-scaled.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-242869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242869"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242869"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242869\/revisions"}],"predecessor-version":[{"id":242871,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242869\/revisions\/242871"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242870"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}